lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Sep 2020 14:10:33 +0530 From: Vinod Koul <vkoul@...nel.org> To: trix@...hat.com Cc: yung-chuan.liao@...ux.intel.com, pierre-louis.bossart@...ux.intel.com, sanyog.r.kale@...el.com, natechancellor@...il.com, ndesaulniers@...gle.com, shreyas.nc@...el.com, alsa-devel@...a-project.org, linux-kernel@...r.kernel.org, clang-built-linux@...glegroups.com Subject: Re: [PATCH v2] soundwire: fix double free of dangling pointer On 02-09-20, 13:26, trix@...hat.com wrote: > From: Tom Rix <trix@...hat.com> > > clang static analysis flags this problem > > stream.c:844:9: warning: Use of memory after > it is freed > kfree(bus->defer_msg.msg->buf); > ^~~~~~~~~~~~~~~~~~~~~~~ > > This happens in an error handler cleaning up memory > allocated for elements in a list. > > list_for_each_entry(m_rt, &stream->master_list, stream_node) { > bus = m_rt->bus; > > kfree(bus->defer_msg.msg->buf); > kfree(bus->defer_msg.msg); > } > > And is triggered when the call to sdw_bank_switch() fails. > There are a two problems. > > First, when sdw_bank_switch() fails, though it frees memory it > does not clear bus's reference 'defer_msg.msg' to that memory. > > The second problem is the freeing msg->buf. In some cases > msg will be NULL so this will dereference a null pointer. > Need to check before freeing. Applied, thanks -- ~Vinod
Powered by blists - more mailing lists